Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
|
|
- Rosa Elliott
- 6 years ago
- Views:
Transcription
1 Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015
2 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical models using normal distributions under key equivalence hypotheses Linear Hull theorem Key variance and more realistic key hypotheses 2/55
3 Expected outcome This lecture provides you with the basic concepts for understanding Matsui s algorithms and more general linear cryptanalysis This lecture is targeted to give you the necessary (and hopefully also sufficient) prerequisites for being able to read recent CRYPTO 2015 paper by Jialin Huang, et al., (and possibly also the one by Bing Sun, et al.) FSE 2013 paper by Andrey Bogdanov and Elmar Tischhauser and goes beyond by presenting a new comprehensive model of Matsui s Algorithm 2 that handles key variance for both wrong keys and right keys. 3/55
4 Section: Linear characteristics and correlations 4/55
5 Symmetric-key encryption k K the key x P the plaintext y C the ciphertext Encryption method is a family {E k } of transformations E k : P C, parametrized using the key k such that for each encryption transformation E k there is a decryption transformation D k : C P, such that D k (E k (x))) = x, for all x P. The spaces are too large to allow deterministic analysis when observing data from a cipher. Therefore we use information theoretic and statistical analysis and consider the key, plaintext and ciphertext as random variables. Assumption: Plaintext and key are independent random variables that follow uniform distribution. 5/55
6 Block cipher The data to be encrypted is split into blocks x i, i = 1,...,N, of fixed length n. A typical value of n is 128. P = C = Z n 2, K = Zl 2. For the purposes of linear cryptanalysis a block cipher is considered as a vectorial Boolean function f : Z n 2 Z l 2 Z n 2 Z l 2 Z n 2, f(x, k) = (x, k, E k (x)) Inner product of a mask u = (u 1,...,u n ) Z n 2 and a data vector x = (x 1,...,x n ) Z n 2 is computed as u x = u 1 x 1 + u 2 x u n x n. Linear approximation with mask triple (u, v, w) of a block cipher is a relation u x + v k + w E k (x). 6/55
7 Correlation Correlation between two Boolean functions f : Z n 2 Z 2 and g : Z n 2 Z 2 is defined as c(f, g) = 2 n (#{x Z n 2 f(x) = g(x)} #{x Z n 2 f(x) g(x)}) Correlation c(f, 0) is called the correlation of f(x) over x, and also denoted as c x (f(x)). Then c x (f(x)) = 2 Pr(f(x) = 0) 1. Linear cryptanalysis makes use of Boolean functions derived from ciphers with large correlations Useful expression: c x (u x + v k + w E k (x)). c x (f(x)) = 2 n x ( 1) f(x), where the sum is taken over integers. 7/55
8 Correlations in iterated block ciphers We focus on key alternating iterated block ciphers. Let (k 1, k 2,...,k r ) be the extended key with the round keys k i derived from master key k. A key-alternating cipher E k has following structure Then E k (x) = g(...g(g(g(x + k 1 )+k 2 )...)+k r ). c x (u x + w E k (x)) = τ r ( 1) τ i k i c z (τ i z +τ i+1 g(z)), i=1 where τ = (τ 1 = u,τ 2,...,τ r,τ r+1 = w). [JD94] x k 1 k 2 k 3 k r g g g g y 8/55
9 Proof in case r = 2 x k 1 g k 2 g E k (x) In this case τ = (u,τ 2, w) c x (u x + w E k (x)) = 2 n x ( 1) u x+w E k(x) = 2 n ( 1) u x+w g(g(x+k 1)+k 2 ) x = 2 2n ( 1) u x+τ 2 g(x+k 1 ) ( 1) τ 2 y+w g(y+k 2 ) τ x y = 2 2n ( 1) u (z1+k1)+τ2 g(z1) τ z 1 z 2 ( 1) τ2 (z2+k2)+w g(z2) = ( 1) u k 1+τ 2 k 2 c z1 (u z 1 +τ 2 g(z 1 ))c z2 (τ 2 z 2 + w g(z 2 )). τ 9/55
10 Linear characteristic Similarly as in the previous proof, we set z 1 = x + k 1 and z i = g(z i 1 )+k i, i = 2,...,r. Let v = (v 1,...,v r, v r+1 ) be an (r + 1)-tuple of masks such that v 1 = u and v r+1 = w. Then r (v i z i + v i+1 g(z i )) = u x + v 1 k v r k r + w E k (x). i=1 The sequence v = (v 1,...,v r, v r+1 ) is called a linear characteristic from u to w over the key-alternating cipher E k. We set v k = v 1 k v r k r. Then the linear characteristic v = (v 1,...,v r, v r+1 ) defines the linear approximation u x + v k + w E k (x). 10/55
11 Correlation of linear characteristic Using c x (u x + w E k (x)) = τ r ( 1) τ k c z (τ i z +τ i+1 g(z)), i=1 where τ = (u,τ 2,...,τ r, w), we obtain c x (u x + v k + w E k (x)) = ( 1) v k c x (u x + w E k (x)) = ( 1) r v k ( 1) τ k c z (τ i z +τ i+1 g(z)) τ i=1 r r = ( 1) τ k c z (τ i z +τ i+1 g(z)). i=1 c z (v i z + v i+1 g(z))+ τ v Taking the average over k = (k 1,...,k r ), where all k i take all possible values, will make the second term vanish if at least one τ i 0. We can state the following theorem. i=1 11/55
12 Average correlation of linear characteristic Assumption. Round keys k 1,...,k r take all possible values. Theorem. Average correlation of a linear characteristic v = (v 1, v 2,...,v r, v r+1 ) from u to w taken over extended keys k = (k 1,...,k r ) is c(u, v, w) = Avg k c x (u x + v k + w E k (x)) r = c z (v i z + v i+1 g(z)) i=1 In the first practical cryptanalysis, the following estimate was used c x(u x + v k + w E k (x)) = ( 1) v k c x(u x + w E k (x)) c(u, v, w) c(u, v, w) was computed using the Piling up lemma under the heuristic assumption of round-independence. We replaced this assumption by assuming independent round keys (i.e., long-key cipher [DR2007]). Is c(u, v, w) a good estimate for any fixed key k? 12/55
13 Case of single dominant characteristic Rewriting the previous equation gives r c x (u x + w E k (x)) ( 1) v k c z (v i z + v i+1 g(z)). (1) The values c x (u x + w E k (x)) are estimated from cipher data. In reality, c x (u x + w E k (x)) = r ( 1) τ k c z (τ i z +τ i+1 g(z)). τ A characteristic v = (v 1,...,v r+1 ) is called dominant characteristic from u to w, if r c(u, v, w) = c z (v i z + v i+1 g(z)) is large, and i=1 i=1 i=1 r c z (τ i z +τ i+1 g(z)) 0, for τ v. i=1 13/55
14 Toy example E k (x) = g(g(x)+k), where g is the AES S-box and k is eight bits. The maximum of c(u x + v g(x)) is 2 3.Then for any 8-bit end masks u and w there exist many characteristics v with equally large correlations c(u, v, w) = 2 6 which is the maximum possible value 2 6. On the other hand, for any given (u, w) the true value c x (u x + w E k (x)) varies a lot with the key k. Consider (u, w) = (, ). Then we have c x (u x + w E k (x)) = 0, for 21 keys k. For these keys, linear cryptanalysis fails! For the remaining 235 keys k we have c x (u x + w E k (x)) 2 6. There are no single dominant characteristics. 14/55
15 Correlations over SPN: S-box layer x = (x 1, x 2,...,x t ) g(x) = (S 1 (x 1 ), S 2 (x 2 ),...,S t (x t )) Assumption: Inputs x j to different S-boxes are independent. u = (u 1, u 2,...,u t ) v = (v 1, v 2,...,v t ) t c x (u x + v g(x)) = c xj (u j x j + v j g(x j )), by the Piling up lemma. To maximize the correlation one usually takes almost all u j and v j equal to zero, since then c xj (u j x j + v j g(x j )) = 1. j=1 15/55
16 Linear characteristics for SPN: linear layer g(x) = Mx c x (u x + v Mx)) = c x (u x + M t v x)) { 1 if u = M = t v 0 otherwise This uniquely determines the masks over the linear layer. Text-books have nice concrete examples of how to construct linear characteristics over SPNs, see [Stinson] or [Knudsen-Robshaw]. 16/55
17 SPN characteristic example 17/55
18 Section: Matsui s algorithms 18/55
19 Empirical correlation Given a sample D of size N of plaintext-ciphertext pairs (x, y = E K (x)) obtained from cipher with unknown key K the empirical correlation (or observed correlation) ĉ(d, K) of linear approximation u x + w y) is computed as ĉ(d, K) = 1 (#{(x, y) u x + w y = 0} #{(x, y) u x + w y 0}) N 19/55
20 Algorithm 1 Matsui s Algorithm 1 is a statistical cryptanalysis method for finding one bit of the key with the following steps 1. Select a linear characteristic v such that the average correlation c = c(u, v, w) deviates from 0 as much as possible. 2. Sample plaintext-ciphertext pairs (x, E K (x)) for a fixed (unknown) key K and determine the empirical correlation ĉ(d, K) of the linear approximation u x + w E K (x) 3. If c and ĉ are of the same sign, output v K = 0. Else output v K = 1. Here estimate (1) is used: c x (u x + w E K (x)) ( 1) v K c(u, v, w). 20/55
21 Algorithm 2 Matsui s Algorithm 2 is a statistical cryptanalysis method for finding a part of the last round key for block ciphers where a relation (last round trick) E k,k r (x) = G kr (E k (x)), where k r is relatively short, can be constructed from the encryption transformation. 1. Select a linear characteristic v such that the average correlation c = c(u, v, w) of the linear approximation u x + v k + w E k (x) deviates from 0 as much as possible. 21/55
22 Algorithm 2, cont d 2. Take a sample D of plaintext-ciphertext pairs (x, E k,k r ) of size N. For each last round key candidate K, compute pairs (x, y = G 1 K (E k,k r (x)) and determine the empirical correlation ĉ(d, K) of the linear approximation u x + w y = 0 3. Output a set of values K that achieve top largest values ĉ(d, K). 4. Additionally, one can determine the value v k as in Algorithm 1. 22/55
23 Key assumptions of Matsui s Algorithm 2 The statistical model of Algorithm 2 relies on two assumptions Hypothesis of right-key equivalence: The observed correlation ĉ(d, K R ) computed from a data sample of size N obtained by partial decryption using the right key candidate K = K R follows, for all K R, normal distribution with parameters Exp D (ĉ(d, K R )) = c, i.e. is the same for all K R Var D (ĉ(d, K R )) = Exp D (ĉ(d, K R ) Exp D (ĉ(d, K R ))) 2 = 1 N. Wrong-key hypothesis: The observed correlation ĉ(d, K W ) computed from a data sample of size N obtained by partial decryption using a wrong key candidate K = K W follows, for all K W, normal distribution with parameters Exp D (ĉ(d, K W )) = 0 Var D (ĉ(d, K W )) = 1 N. 23/55
24 Variance of observed correlation We explain the wrong key variance. Let N be the size of the sample and N 0 be the number of observed pairs (x, y) computed with the wrong key that satisfy u x + w y = 0. N 0 is binomially distributed with expected value N/2 and variance N/4. For large N we can approximate the binomial distribution with the normal one. From ĉ = 2N 0 1 N it follows that Exp D (ĉ(d, K W )) = 0 and Var D (ĉ(d, K W )) = 1 N. The data variance of the correlation computed for the correct key is approximately the same. As N grows the variance decreases. 24/55
25 Normal distributions of observed correlations in Algorithm 2 Legend: black = wrong key, red = right key with Exp D (ĉ(d, K R )) < 0, blue = right key with Exp D (ĉ(d, K R )) > 0 25/55
26 Section: Success probability and data complexity 26/55
27 Statistical tests Linear cryptanalysis makes use of a statistical hypothesis test. Algorithm 1 makes a decision between H 0 : v k = 0 H 1 : v k = 1 Algorithm 2 makes a decision between H 0 H 1 : K = K R, that is, G 1 K (E k,k R (x)) = E k (x), for all x : K = K W, that is, data pairs (x, G 1 K (E k,k R (x)) are not from the cipher 27/55
28 The setting Two normal deviates T W and T R such that T W N(µ W,σ 2 W) and T R N(µ R,σ 2 R). (w.l.g. assume µ W < µ R ) Value of T computed from a sample drawn from either the distribution of T W or the one of T R. The task is to decide which one of the two. 28/55
29 Success probability Threshold value Θ: T Θ T is drawn from the distribution of T W, T Θ T is drawn from the distribution of T R. We set bounds to the error probabilities Pr(T W T > Θ) α 0 and Pr(T R T Θ) α 1, which are satisfied if µ W +σ W ζ 0 Θ µ W σ R ζ 1, where Φ(ζ i ) = 1 α i for i = 1, 2, and Φ is the cumulative distribution function of the standard normal distribution. 29/55
30 Example success area in Algorithm 1 0 c ĉ 30/55
31 Example success area in Algorithm 2 0 c ĉ 31/55
32 Success probability in Algorithm 2 We denote α 0 = 2 a 1 and α 1 = 1 P S, where a is often called the advantage and P S is the success probability that the right key is accepted. The value a indicates how many bits of the right key are correctly determined. Then a set of 2 l a keys remains to be searched. Question: Why α 0 = 2 a 1 and not 2 a? 32/55
33 Success probability in Algorithm 2 Plugging in the parameters of distributions 1 Φ 1 (1 2 a 1 ) Θ c 1 Φ 1 (P S ) N N Such a value Θ exists if P S N Φ( N c Φ 1 (1 2 a 1 ), or equivalently ( Φ 1 (1 2 a 1 )+Φ 1 (P S ) ) 2 c 2 This lower bound of N is an estimate of the data complexity required to get a bits of the right key with success probability P S. 33/55
34 Why α 0 = 1 2 a 1? Answer: Samples computed with wrong keys will be accepted on both sides. To have the total probability less than 2 a both sides must have probability less than 2 a 1. Question: Why the success probability is not halved? Answer: There is only one correct key. It can fail the test only on one side of the distribution. 34/55
35 Statistical model of Algorithm 2 Φ the cumulative distribution function of the standard normal distribution P S success probability, ϕ PS = Φ 1 (P S ) 2 a is the proportion of accepted wrong keys a is the advantage of the attack, ϕ a = Φ 1 (1 2 a 1 ) µ R and σr 2 are the mean and variance of the normal deviate ĉ(d, K R ) for the right key, and µ W and σw 2 are the mean and variance of the normal deviate ĉ(d, K W ) for the wrong key. Then the success probability can be determined by ( ) µr µ W σ W ϕ a P S Φ. σ R 35/55
36 Summary of Algorithm 2 Fix the advantage a, where a t and t is the length in bits of the last round key. Fix the success probability P S Compute the sample size N from ( Φ 1 (1 2 a 1 )+Φ 1 (P S ) ) 2 N = c 2 Use a sample D of N known plaintext-ciphertext pairs Compute the observed correlations for all 2 t last round key candidates. Take those 2 t a of the round key candidates that have the largest empirical correlation (in absolute value). Complement them to full l-bit keys by appending the remaining l t bits to them (assuming the key-schedule allows this). Search the set of 2 l a cipher key candidates exhaustively. 36/55
37 Section: Linear Hull theorem 37/55
38 Fixed-key correlation of a linear characteristic Recall c x (u x + w E k (x)) = τ r ( 1) τ i k i c z (τ i z +τ i+1 g(z)), i=1 where τ = ( u,τ 2,...,τ r, w), and that for any v, c x (u x + v k + w E k (x)) = ( 1) v k c x (u x + w E k (x)) r r = ( 1) τ k c z (τ i z +τ i+1 g(z)). i=1 c z (v i z + v i+1 g(z))+ τ v We also computed the average of this correlation over the keys. The Right Key Hypothesis states that all right keys behave as the average. This is clearly not the case. Next we compute the variance of c x (u x + v k + w E k (x)) as the key k varies. i=1 38/55
39 The Fundamental Theorem By Jensen s inequality Avg k c x (u x + v k + w E k (x)) 2 c(u, v, w) 2, for all v, and in general the strict inequality holds. More accurately, the following theorem holds The Linear Hull Theorem [KN94, KN01, DR2007] If the round keys of a block cipher E k take on all values (aka E k is a long-key cipher), then Avg k c x (u x + w E k (x)) 2 = c(u,τ, w) 2. τ We denote ELP(u, w) = Avg k (c x (u x + w E k (x))) 2 and call it the expected linear potential of (u, w). 39/55
40 Toy example cont d Consider the previous example. We saw that in terms of single characteristics, all (u, w) are about equally good, but there are no dominant characteristics. Also in terms of linear hulls, all (u, w) have about equally large ELP: ELP(, ) = ELP(u, w) = ELP(, ) c(u x + w E k (x)) 2 ELP(, ), for 76 keys k. The weakest of (u, w) is (, ). For this mask pair c x (u x + w E k (x)) = 0, for 33 keys k. For the remaining 223 keys we have c x (u x + w E k (x)) 2 6. c(u x + w E k (x)) 2 ELP(, ), for 80 keys k. 40/55
41 Computing an estimate of ELP(u, w) ELP(u, w) = Avg k c x(u x + w E k (x)) 2 = r c z(τ i z +τ i+1 g(z)) 2 τ 2,...,τ r i=1 = c z(τ r z + w g(z)) 2 c z(τ r 1 z +τ r g(z)) 2 τ r τ r 1 c z(τ 3 z +τ 4 g(z)) 2 τ 2 τ 3 z +τ 3 g(z)) 2 c z(u z +τ c z(τ 2 2 g(z)) 2 This expression gives an iterative algorithm: start from the bottom line to compute for each τ 3 the value on the last line. Can be made feasible by restricting to τ with low Hamming weight and keeping only the largest values from each iteration. Restrictions on τ will lead to a lower bound of ELP(u, w), which is still much larger than any c(u, v, w) 2. 41/55
42 Section: Key variance and more realistic key hypotheses 42/55
43 Key-variance of observed correlation Wrong key case see also [BT2013] The wrong-key hypothesis states that Exp D (ĉ(d, K W )) is equal for all keys K W. This is not true in practice. Denote c(k W ) = Exp D (ĉ(d, K W )). Then Exp KW (c(k W )) = 0 To compute the variance, we use Var KW (c(k W )) = Exp KW ( c(kw ) 2) ( Exp KW (c(k W )) ) 2. By [DR2007], Corollary 7, Exp KW ( c(kw ) 2) = 2 n. Then Var KW (c(k W )) = 2 n. 43/55
44 Key-variance of observed correlation Right key case (New!) The Right-key equivalence hypothesis states that Exp D (ĉ(d, K R ) ) is equal for all keys K R. This is not realistic. Denote Exp D (ĉ(d, K R )) = c(k R ). If c(k R ) > 0 set K R K +. Else K R K Hypothesis of Algorithm 2 (single dominant characteristic): Exp KR K ( c(k R)) Exp KR K +( c(k R)) Denote Exp KR K + ( c(k R)) = c To compute the variance of c(k R ), for K R K + (similarly for K R K ) we apply again the rule Var X (F(X)) = Exp X ( F(X) 2 ) (Exp X (F(X))) 2. Then we get Var KR K + ( c(k R)) = ELP c 2. 44/55
45 Total variance of observed correlation Wrong key case To compute the total variance over data and wrong keys, we recall the rule Var X,Y (F(X, Y)) = Exp X (Var Y (F(X, Y)))+Var X (Exp Y (F(X, Y)))... and get Var D,KW (ĉ(d, K W )) = 1 N + 2 n. 45/55
46 Total variance of observed correlation Right key case To compute the total variance of ĉ(d, K R ) over data and right keys, we use the same rule as above... and get Exp KR (Var D (ĉ(d, K R ))) = 1 N Var KR (Exp D (ĉ(d, K R ))) = Var KR ( c(k R )) = ELP c 2. Var D,KR K + (ĉ(d, K R)) =Var D,KR K (ĉ(d, K R)) = 1 N + ELP c2 46/55
47 How large is the right key variance Matsui s Algorithm uses one dominant characteristic (u, v, w). By the Linear Hull theorem ELP c(u, v, w) 2 = τ v c(u,τ, w) 2, and Exp D,KR ĉ(d, K R ) = c = c(u, v, w). In the ideal case, the sum on the right side of the first equation is the variance of pure noise, which has mean equal to zero and variance equal to 2 n. We obtain ELP c 2 2 n. Note that the classical hypothesis of right key equivalence assumes ELP c 2 = 0. 47/55
48 Recalling the statistical model of Algorithm 2 Φ the cumulative distribution function of the standard normal distribution P S success probability, ϕ PS = Φ 1 (P S ) 2 a is the proportion of accepted wrong keys a is the advantage of the attack, ϕ a = Φ 1 (1 2 a 1 ) µ R and σr 2 are the mean and variance of the normal deviate ĉ(d, K R ) for the right key, and µ W and σw 2 are the mean and variance of the normal deviate ĉ(d, K W ) for the wrong key. Then the success probability can be determined by ( ) µr µ W σ W ϕ a P S Φ. σ R 48/55
49 Success probability and data complexity Now we plug in the new parameters of Matsui s Algorithm 2 to get ( c N ) 1+N2 P S Φ n ϕ a. N(ELP c2 )+1 If ELP = c 2 (key-equivalence) then this is identical to the result in [BT2013] Eq.(6). In reality, we have ELP c 2 > 2 n, and we derive the data complexity estimate as N (ϕ a +ϕ PS ) 2 c 2 (ELP c 2 )(ϕ a +ϕ PS ) 2 +ϕ 2 a(elp c 2 2 n ) 49/55
50 Extensions and variations Zero-correlation: c = c(k R ) = 0 for all keys Is it possible to handle a case with two dominant characteristics? Example [AES book] linear approximation is composed of more than one dominant characteristics c(u x + w E k (x)) = ( 1) γ k c γ +( 1) λ k c λ where c γ and c λ are the correlations of the characteristics Then Avg(c(u x +γ k + w E k (x)) = c γ. But this gives a usable estimate only for a half of the keys. Those are the keys for which λ k = 0 and then For the remaining keys we have c(u x +γ k + w E k (x)) = c γ + c λ c(u x +γ K + w E K (x)) = c γ c λ 0. 50/55
51 The case of about equally small characteristics To resist linear cryptanalysis, [DR2007] advices designers to take care that no single dominant characteristic exists. It will make linear cryptanalysis harder, but not impossible. We have for the right key Exp D (ĉ(d, K R )) = c x (u x + w E k (x)) N(0, ELP) from where we get Theorem 22 of [DR2007] Theorem. If the number of characteristics with non-zero correlation is large and all characteristic correlations are small compared to ELP, then c x (u x + w E k (x)) χ 2 (1) ELP 51/55
52 The case of about equally small characteristics, cont d For the wrong keys Exp D (ĉ(d, K W )) N(0, 2 n ) as before, and 2 n Exp D (ĉ(d, K W )) 2 χ 2 (1) If ELP >> 2 n the distributions of the observed correlations for the wrong keys and right keys can be distinguished. 52/55
53 Multiple/Multidimensional linear cryptanalysis So far we fixed (u, v). By collecting a number, say m, strong linear approximations with different mask pairs (u, w) the sum of their observed squared correlations is a multiple of a χ 2 (m) distributed random variable... provided that the correlations are independent random variables. To overcome this problem, it is possible to consider distributions of data extracted from plaintext-ciphertext pairs with an expected distribution which is far from uniform. Such non-uniform distributions can be found by with the help of linear approximations with high correlations. They may also be found with the help of truncated differentials with high probabilities. 53/55
54 Summary Linear cryptanalysis using one dominant characteristic First the statistical model of observed correlation was presented for a fixed key Traditional key-equivalence hypotheses were stated As they are known not to hold in practice for all keys, we studied the variance in the correlation due to the key for wrong keys and also for right keys. New estimates, with improved theoretical justification, of success probability and data complexity achieved. Among modern ciphers, cases with single dominant linear characteristics are very rare The statistical model for uniformly small characteristics correlations briefly described Enhancements by using more linear approximations was discussed. 54/55
55 Cited papers and books [KN94] K. Nyberg: Linear approximation of block ciphers. In Advances in Cryptology - EUROCRYPT 94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, [JD94] J. Daemen: Correlation Matrices. In Fast Software Encryption, FSE 2, volume 1008 of Lecture Notes in Computer Science. Springer-Verlag, [KN01] K. Nyberg: Correlation theorems in cryptanalysis. Discrete Applied Mathematics, 111: , [AES book] J. Daemen and V. Rijmen: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, [Stinson] D. R. Stinson: Cryptography: Theory and Practice, 3rd ed.. CRC Press, [Knudsen-Robshaw] L. R. Knudsen and M. Robshaw: The Block Cipher Companion. Springer, [DR2007] Joan Daemen and Vincent Rijmen: Probability distributions of correlation and differentials in block ciphers. J. Mathematical Cryptology, 1(3): , [BT2013] Andrey Bogdanov and Elmar Tischhauser: On the wrong key randomisation and key equivalence hypotheses in Matsui s algorithm 2. FSE 2013, LNCS 8424, pages /55
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationWieringa, Celine; Nyberg, Kaisa Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis
Powered by TCPDF (www.tcpdf.org) This is an electronic reprint of the original article. This reprint may differ from the original in pagination and typographic detail. Wieringa, Celine; Nyberg, Kaisa Improved
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationLinear Cryptanalysis Using Multiple Linear Approximations
Linear Cryptanalysis Using Multiple Linear Approximations Miia HERMELIN a, Kaisa NYBERG b a Finnish Defence Forces b Aalto University School of Science and Nokia Abstract. In this article, the theory of
More informationMultivariate Linear Cryptanalysis: The Past and Future of PRESENT
Multivariate Linear Cryptanalysis: The Past and Future of PRESENT Andrey Bogdanov, Elmar Tischhauser, and Philip S. Vejre Technical University of Denmark, Denmark {anbog,ewti,psve}@dtu.dk June 29, 2016
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationStatistical and Linear Independence of Binary Random Variables
Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationCryptanalysis of the Full DES and the Full 3DES Using a New Linear Property
Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationOn Distinct Known Plaintext Attacks
Céline Blondeau and Kaisa Nyberg Aalto University Wednesday 15th of April WCC 2015, Paris Outline Linear Attacks Data Complexity of Zero-Correlation Attacks Theory Experiments Improvement of Attacks Multidimensional
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationLinear Cryptanalysis of DES with Asymmetries
Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationRevisiting the Wrong-Key-Randomization Hypothesis
Revisiting the Wrong-Key-Randomization Hypothesis Tomer Ashur, Tim Beyne, and Vincent Rijmen ESAT/COSIC, KU Leuven and iminds, Leuven, Belgium [tomer.ashur,vincent.rijmen] @ esat.kuleuven.be [tim.beyne]
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationImproved Analysis of Some Simplified Variants of RC6
Improved Analysis of Some Simplified Variants of RC6 Scott Contini 1, Ronald L. Rivest 2, M.J.B. Robshaw 1, and Yiqun Lisa Yin 1 1 RSA Laboratories, 2955 Campus Drive San Mateo, CA 94403, USA {scontini,matt,yiqun}@rsa.com
More informationOn Multiple Linear Approximations
On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationHermelin, Miia; Cho, Joo Yeon; Nyberg, Kaisa Multidimensional Linear Cryptanalysis
Powered by TCPDF (www.tcpdf.org) This is an electronic reprint of the original article. This reprint may differ from the original in pagination and typographic detail. Hermelin, Miia; Cho, Joo Yeon; Nyberg,
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationLinks Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,
More informationExperimenting Linear Cryptanalysis
Experimenting Linear Cryptanalysis Baudoin Collard, François-Xavier Standaert UCL Crypto Group, Microelectronics Laboratory, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationProbability Distributions of Correlation and Differentials in Block Ciphers
J. Math. Crypt. 1 (2007), 12 33 c de Gruyter 2007 Probability Distributions of Correlation and Differentials in Block Ciphers Joan Daemen and Vincent Rijmen Communicated by Communicating Editor Abstract.
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Aalto University School of Science and Nokia, Finland kaisa.nyberg@aalto.fi Abstract. In this invited talk, a brief survey on
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationOn the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2
On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2 Andrey Bogdanov 1 and Elmar Tischhauser 2 1 Technical University of Denmark anbog@dtu.dk 2 KU Leuven and iminds, Belgium
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationUsing MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism
Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism Mahdi Sajadieh and Mohammad Vaziri 1 Department of Electrical Engineering, Khorasgan Branch, Islamic Azad University,
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationThe Invariant Set Attack 26th January 2017
The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationLinear and Statistical Independence of Linear Approximations and their Correlations
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationKFC - The Krazy Feistel Cipher
KFC - The Krazy Feistel Cipher Thomas Baignères and Matthieu Finiasz EPFL CH-1015 Lausanne Switzerland http://lasecwww.epfl.ch Abstract. We introduce KFC, a block cipher based on a three round Feistel
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationProduct Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation
More informationNew Results in the Linear Cryptanalysis of DES
New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationData complexity and success probability of statisticals cryptanalysis
Data complexity and success probability of statisticals cryptanalysis Céline Blondeau SECRET-Project-Team, INRIA, France Joint work with Benoît Gérard and Jean-Pierre Tillich aaa C.Blondeau Data complexity
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationCryptography - Session 2
Cryptography - Session 2 O. Geil, Aalborg University November 18, 2010 Random variables Discrete random variable X: 1. Probability distribution on finite set X. 2. For x X write Pr(x) = Pr(X = x). X and
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationStatistical Analysis of chi-square A. Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO
JAIST Reposi https://dspace.j Title Statistical Analysis of chi-square A Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO Citation IEICE TRANSACTIONS on Fundamentals o Electronics, Communications and Comp
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationStatistical and Algebraic Properties of DES
Statistical and Algebraic Properties of DES Stian Fauskanger 1 and Igor Semaev 2 1 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway 2 Department of Informatics, University of
More information